Merge branch 'master' into topic/jsiwek/coverity

.gitmodules

@@ -1,24 +1,24 @@
 [submodule "aux/bro-aux"]
 	path = aux/bro-aux
-	url = ../bro-aux
+	url = git://git.bro.org/bro-aux
 [submodule "aux/binpac"]
 	path = aux/binpac
-	url = ../binpac
+	url = git://git.bro.org/binpac
 [submodule "aux/broccoli"]
 	path = aux/broccoli
-	url = ../broccoli
+	url = git://git.bro.org/broccoli
 [submodule "aux/broctl"]
 	path = aux/broctl
-	url = ../broctl
+	url = git://git.bro.org/broctl
 [submodule "aux/btest"]
 	path = aux/btest
-	url = ../btest
+	url = git://git.bro.org/btest
 [submodule "cmake"]
 	path = cmake
-	url = ../cmake
+	url = git://git.bro.org/cmake
 [submodule "magic"]
 	path = magic
-	url = ../bromagic
+	url = git://git.bro.org/bromagic
 [submodule "src/3rdparty"]
 	path = src/3rdparty
-	url = ../bro-3rdparty
+	url = git://git.bro.org/bro-3rdparty

Makefile

@@ -44,13 +44,14 @@ broxygenclean: configured
 dist:
 	@rm -rf $(VERSION_FULL) $(VERSION_FULL).tgz
 	@rm -rf $(VERSION_MIN) $(VERSION_MIN).tgz
-	@mkdir $(VERSION_FULL)
-	@tar --exclude=$(VERSION_FULL)* --exclude=$(VERSION_MIN)* --exclude=.git -cf - . | ( cd $(VERSION_FULL) && tar -xpf - )
-	@( cd $(VERSION_FULL) && cp -R ../.git . && git reset -q --hard HEAD && git clean -xdfq && rm -rf .git )
+	@git clone --recursive . $(VERSION_FULL) >/dev/null 2>&1
+	@find $(VERSION_FULL) -name .git\* | xargs rm -rf
 	@tar -czf $(VERSION_FULL).tgz $(VERSION_FULL) && echo Package: $(VERSION_FULL).tgz && rm -rf $(VERSION_FULL)
-	@$(HAVE_MODULES) && mkdir $(VERSION_MIN) || exit 0
-	@$(HAVE_MODULES) && tar --exclude=$(VERSION_FULL)* --exclude=$(VERSION_MIN)* --exclude=.git `git submodule | awk '{print "--exclude="$$2}' | grep -v cmake | tr '\n' ' '` -cf - . | ( cd $(VERSION_MIN) && tar -xpf - ) || exit 0
-	@$(HAVE_MODULES) && ( cd $(VERSION_MIN) && cp -R ../.git . && git reset -q --hard HEAD && git clean -xdfq && rm -rf .git ) || exit 0
+	@$(HAVE_MODULES) && git clone . $(VERSION_MIN) >/dev/null 2>&1 || exit 0
+	@$(HAVE_MODULES) && (cd $(VERSION_MIN) && git submodule update --init cmake >/dev/null 2>&1) || exit 0
+	@$(HAVE_MODULES) && (cd $(VERSION_MIN) && git submodule update --init src/3rdparty >/dev/null 2>&1) || exit 0
+	@$(HAVE_MODULES) && (cd $(VERSION_MIN) && git submodule update --init magic >/dev/null 2>&1) || exit 0
+	@$(HAVE_MODULES) && find $(VERSION_MIN) -name .git\* | xargs rm -rf || exit 0
 	@$(HAVE_MODULES) && tar -czf $(VERSION_MIN).tgz $(VERSION_MIN) && echo Package: $(VERSION_MIN).tgz && rm -rf $(VERSION_MIN) || exit 0
 
 bindist:
@@ -65,6 +66,7 @@ test:
 
 test-all: test
 	test -d aux/broctl && ( cd aux/broctl && make test )
+	test -d aux/btest  && ( cd aux/btest && make test )
 
 configured:
 	@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )

NEWS

@@ -1,53 +1,147 @@
 
 This document summarizes the most important changes in the current Bro
-release. For a complete list of changes, see the ``CHANGES`` file
+release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as BroControl and Broccoli, come with
-their own CHANGES.)
+their own ``CHANGES``.)
 
-Bro 2.2 (Work In Progress)
-==========================
+Bro 2.2 Beta
+============
 
 New Functionality
 -----------------
 
+- A new file analysis framework moves most of the processing of file
+  content from script-land into the core, where it belongs. See
+  ``doc/file-analysis.rst``, or the online documentation, for more
+  information.
+
+  Much of this is an internal change, but the framework also comes
+  with the following user-visible functionality (some of that was
+  already available before but is done differently, and more
+  efficiently, now):
+
+      - HTTP:
+        * Identify MIME type of messages.
+        * Extract messages to disk.
+        * Compute MD5 for messages.
+
+      - SMTP:
+        * Identify MIME type of messages.
+        * Extract messages to disk.
+        * Compute MD5 for messages.
+        * Provide access to start of entity data.
+
+      - FTP data transfers:
+        * Identify MIME types of data.
+        * Record to disk.
+
+      - IRC DCC transfers: Record to disk.
+
+      - Support for analyzing data transfered via HTTP range requests.
+
+      - A binary input reader interfaces the input framework with the
+        file analysis, allowing to inject files on disk into Bro's
+        content processing.
+
+- A new framework for computing a wide array of summary statistics,
+  such as counters and thresholds checks, standard deviation and mean,
+  set cardinality, top K, and more. The framework operates in
+  real-time, independent of the underlying data, and can aggregate
+  information from many independent monitoring points (including
+  clusters). It provides a transparent, easy-to-use user interface,
+  and can optionally deploy a set of probabilistic data structures for
+  memory-efficient operation. The framework is located in 
+  ``scripts/base/frameworks/sumstats``.
+
+  A number of new applications now ship with Bro that are built on top
+  of the summary statistics framework:
+
+    * Scan detection: Detectors for port and address scans. See
+      ``policy/misc/scan.bro`` (these scan detectors used to exist in
+      Bro versions <2.0; it's now back, but quite different).
+
+    * Tracerouter detector: ``policy/misc/detect-traceroute.bro``
+      
+    * Web application detection/measurement:
+      ``policy/misc/app-stats/*``
+
+    * FTP and SSH brute-forcing detector:
+      ``policy/protocols/ftp/detect-bruteforcing.bro``,
+      ``policy/protocols/ssh/detect-bruteforcing.bro``
+
+    * HTTP-based SQL injection detector:
+      ``policy/protocols/http/detect-sqli.bro`` (existed before, but
+      now ported to the new framework)
+
+- GridFTP support. This is an extension to the standard FTP analyzer
+  and includes:
+
+      - An analyzer for the GSI mechanism of GSSAPI FTP AUTH method.
+        GSI authentication involves an encoded TLS/SSL handshake over
+        the FTP control session. For FTP sessions that attempt GSI
+        authentication, the ``service`` field of the connection log
+        will include ``gridftp`` (as well as also ``ftp`` and
+        ``ssl``).
+
+      - An example of a GridFTP data channel detection script. It
+        relies on the heuristics of GridFTP data channels commonly
+        default to SSL mutual authentication with a NULL bulk cipher
+        and that they usually transfer large datasets (default
+        threshold of script is 1 GB). For identified GridFTP data
+        channels, the ``services`` fields of the connection log will
+        include ``gridftp-data``.
+
+- Modbus and DNP3 support. Script-level support is only basic at this
+  point but see ``src/analyzer/protocol/{modbus,dnp3}/events.bif``, or
+  the online documentation, for the events Bro generates. For Modbus,
+  there are also some example policies in
+  ``policy/protocols/modbus/*``.
+
+- The documentation now includes a new introduction to writing Bro
+  scripts. See ``doc/scripting/index.rst`` or, much better, the online
+  version. There's also the beginning of a chapter on "Using Bro" in
+  ``doc/using/index.rst``.
+
 - GPRS Tunnelling Protocol (GTPv1) decapsulation.
 
-- GridFTP support. TODO: Extend.
+- The scripting language now provide "hooks", a new flavor of
+  functions that share characteristics of both standard functions and
+  events. They are like events in that multiple bodies can be defined
+  for the same hook identifier. They are more like functions in the
+  way they are invoked/called, because, unlike events, their execution
+  is immediate and they do not get scheduled through an event queue.
+  Also, a unique feature of a hook is that a given hook handler body
+  can short-circuit the execution of remaining hook handlers simply by
+  exiting from the body as a result of a ``break`` statement (as
+  opposed to a ``return`` or just reaching the end of the body). See
+  ``doc/scripts/builtins.rst``, or the online documentation, for more
+  informatin.
 
-- Modbus support. TODO: Extend.
+- Bro's language now has a working ``switch`` statement that generally
+  behaves like C-style switches (except that case labels can be
+  comprised of multiple literal constants delimited by commas).  Only
+  atomic types are allowed for now.  Case label bodies that don't
+  execute a ``return`` or ``break`` statement will fall through to
+  subsequent cases. A ``default`` case label is supported.
 
-- DNP3 support. TODO: Extend.
-
-- ssl.log now also records the subject client and issuer certificates.
-
-- Hooks: TODO: Briefly summarize the documention from
-  doc/scripts/builtins.rst here.
-
-- The ASCII writer can now output CSV files on a per filter basis.
-
-- Bro's language now has a working "switch" statement that generally
-  behaves like C-style switches except case labels can be comprised of
-  multiple literal constants delimited by commas.  Only atomic types
-  are allowed for now.  Case label bodies that don't execute a
-  "return" or "break" statement will fall through to subsequent cases.
-  A default case label is allowed.
-
-- Bro's language now has a new set of types "opaque of X". Opaque
+- Bro's language now has a new set of types ``opaque of X``. Opaque
   values can be passed around like other values but they can only be
   manipulated with BiF functions, not with other operators. Currently,
-  the following opaque types are supported:
+  the following opaque types are supported::
 
-        - opaque of md5
-        - opaque of sha1
-        - opaque of sha256
-        - opaquey of entropy.
+        opaque of md5
+        opaque of sha1
+        opaque of sha256
+        opaque of cardinality
+        opaque of topk
+        opaque of bloomfilter
 
-  They go along with the corrsponding BiF functions md5_*, sha1_*,
-  sha256_*, and entropy_*, respectively. Note that these functions
-  have changed their signatures to work with opaques types rather
-  than global state as it was before.
+  These go along with the corrsponding BiF functions ``md5_*``,
+  ``sha1_*``, ``sha256_*``, ``entropy_*``, etc. . Note that where
+  these functions existed before, they have changed their signatures
+  to work with opaques types rather than global state.
 
-- The scripting language now supports a constructing sets, tables,
+- The scripting language now supports constructing sets, tables,
   vectors, and records by name::
 
         type MyRecordType: record {
@@ -61,57 +155,33 @@ New Functionality
         global s = MySet([$c=1], [$c=2]);
 
 - Strings now support the subscript operator to extract individual
-  characters and substrings (e.g., s[4], s[1,5]). The index expression
-  can take up to two indices for the start and end index of the
-  substring to return (e.g. "mystring[1,3]").
+  characters and substrings (e.g., ``s[4]``, ``s[1,5]``). The index
+  expression can take up to two indices for the start and end index of
+  the substring to return (e.g. ``mystring[1,3]``).
 
-- Functions now support default parameters, e.g.:
+- Functions now support default parameters, e.g.::
 
-        global foo: function(s: string, t: string &default="abc", u: count &default=0);
+      global foo: function(s: string, t: string &default="abc", u: count &default=0);
 
-- Scripts can now use two new "magic constants" @DIR and @FILENAME
-  that expand to the directory path of the current script and just the
-  script file name without path, respectively. (Jon Siwek)
+- Scripts can now use two new "magic constants" ``@DIR`` and
+  ``@FILENAME`` that expand to the directory path of the current
+  script and just the script file name without path, respectively.
 
-- The new file analysis framework moves most of the processing of file
-  content from script-land into the core, where it belongs. See
-  doc/file-analysis.rst for more information.
+- ``ssl.log`` now also records the subject client and issuer
+  certificates.
 
-  Much of this is an internal change, but the framework also comes
-  with the following user-visibible functionality (some of that was
-  already available before, but done differently):
+- The ASCII writer can now output CSV files on a per filter basis.
 
-  [TODO: Update with changes from 984e9793db56.]
+- New SQLite reader and writer plugins for the logging framework allow
+  to read/write persistent data from on disk SQLite databases.
 
-      - A binary input reader interfaces the input framework with file
-        analysis, allowing to inject files on disk into Bro's
-        processing.
-
-      - Supports for analyzing data transfereed via HTTP range
-        requests.
-
-      - HTTP:
-        * Identify MIME type of message.
-        * Extract message to disk.
-        * Compute MD5 for messages.
-
-      - SMTP:
-        * Identify MIME type of message.
-        * Extract message to disk.
-        * Compute MD5 for messages.
-        * Provide access to start of entity data.
-
-      - FTP data transfers: Identify MIME type; record to disk.
-
-      - IRC DCC transfers: Record to disk.
-
-- New packet filter framework supports BPF-based load-balancing,
+- A new packet filter framework supports BPF-based load-balancing,
   shunting, and sampling; plus plugin support to customize filters
   dynamically.
 
 - Bro now provides Bloom filters of two kinds: basic Bloom filters
   supporting membership tests, and counting Bloom filters that track
-  the frequency of elements. The corresponding functions are:
+  the frequency of elements. The corresponding functions are::
 
     bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter
     bloomfilter_basic_init2(k: count, cells: count, name: string &default=""): opaque of bloomfilter
@@ -121,10 +191,11 @@ New Functionality
     bloomfilter_merge(bf1: opaque of bloomfilter, bf2: opaque of bloomfilter): opaque of bloomfilter
     bloomfilter_clear(bf: opaque of bloomfilter)
 
-  See <INSERT LINK> for full documentation.
+  See ``src/probabilistic/bloom-filter.bif``, or the online
+  documentation, for full documentation.
 
 - Bro now provides a probabilistic data structure for computing
-  "top k" elements. The corresponding functions are:
+  "top k" elements. The corresponding functions are::
 
     topk_init(size: count): opaque of topk
     topk_add(handle: opaque of topk, value: any)
@@ -136,73 +207,82 @@ New Functionality
     topk_merge(handle1: opaque of topk, handle2: opaque of topk)
     topk_merge_prune(handle1: opaque of topk, handle2: opaque of topk)
 
-  See <INSERT LINK> for full documentation.
+  See ``src/probabilistic/top-k.bif``, or the online documentation,
+  for full documentation.
 
-- base/utils/exec.bro provides a module to start external processes
-  asynchronously and retrieve their output on termination.
-  base/utils/dir.bro uses it to monitor a directory for changes, and
-  base/utils/active-http.bro for providing an interface for querying
-  remote web servers.
+- Bro now provides a probabilistic data structure for computing set
+  cardinality, using the HyperLogLog algorithm.  The corresponding
+  functions are::
 
-- Summary statistics framework. [Extend]
+    hll_cardinality_init(err: double, confidence: double): opaque of cardinality
+    hll_cardinality_add(handle: opaque of cardinality, elem: any): bool
+    hll_cardinality_merge_into(handle1: opaque of cardinality, handle2: opaque of cardinality): bool
+    hll_cardinality_estimate(handle: opaque of cardinality): double
+    hll_cardinality_copy(handle: opaque of cardinality): opaque of cardinality
 
-- A number of new applications build on top of the summary statistics
-  framework:
+  See ``src/probabilistic/cardinality-counter.bif``, or the online
+  documentation, for full documentation.
 
-    * Scan detection: Detectors for port and address scans return. See
-      policy/misc/scan.bro.
+- ``base/utils/exec.bro`` provides a module to start external
+  processes asynchronously and retrieve their output on termination.
+  ``base/utils/dir.bro`` uses it to monitor a directory for changes,
+  and ``base/utils/active-http.bro`` for providing an interface for
+  querying remote web servers.
 
-    * Tracerouter detector: policy/misc/detect-traceroute
+- BroControl can now pin Bro processes to CPUs on supported platforms:
+  To use CPU pinning, a new per-node option ``pin_cpus`` can be
+  specified in node.cfg if the OS is either Linux or FreeBSD.
 
-    * Web application detection/measurement: policy/misc/app-metrics.bro
+- BroControl comes with its own test-suite now. ``make test`` in
+  ``aux/broctl`` will run it.
 
-    * FTP brute-forcing detector: policy/protocols/ftp/detect-bruteforcing.bro
-
-    * HTTP-based SQL injection detector: policy/protocols/http/detect-sqli.bro
-      (existed before, but now ported to the new framework)
-
-    * SSH brute-forcing detector feeding the intelligence framework:
-      policy/protocols/ssh/detect-bruteforcing.bro
+In addition to these, Bro 2.2 comes with a large set of smaller
+extensions, tweaks, and fixes across the whole code base, including
+most submodules.
 
 Changed Functionality
 ---------------------
 
-- We removed the following, already deprecated, functionality:
+- The interface to extracting content from application-layer protocols
+  (including HTTP, SMTP, FTP) has changed significantly due to the
+  introduction of the new file analysis framework (see above).
+
+- Removed the following, already deprecated, functionality:
 
     * Scripting language:
-        - &disable_print_hook attribute.
+        - ``&disable_print_hook attribute``.
 
     * BiF functions:
-        - parse_dotted_addr(), dump_config(),
-          make_connection_persistent(), generate_idmef(),
-          split_complete()
+        - ``parse_dotted_addr()``, ``dump_config()``,
+          ``make_connection_persistent()``, ``generate_idmef()``,
+          ``split_complete()``
 
-        - md5_*, sha1_*, sha256_*, and entropy_* have all changed
-          their signatures to work with opaque types (see above).
+        - ``md5_*``, ``sha1_*``, ``sha256_*``, and ``entropy_*`` have
+          all changed their signatures to work with opaque types (see
+          above).
 
+- Removed a now unused argument from ``do_split`` helper function.
 
-- Removed a now unused argument from "do_split" helper function.
+- ``this`` is no longer a reserved keyword.
 
-- "this" is no longer a reserved keyword.
-
-- The Input Framework's update_finished event has been renamed to
-  end_of_data. It will now not only fire after table-reads have been
-  completed, but also after the last event of a whole-file-read (or
-  whole-db-read, etc.).
+- The Input Framework's ``update_finished`` event has been renamed to
+  ``end_of_data``. It will now not only fire after table-reads have
+  been completed, but also after the last event of a whole-file-read
+  (or whole-db-read, etc.).
 
 - Renamed the option defining the frequency of alarm summary mails to
-  'Logging::default_alarm_mail_interval'. When using BroControl, the
+  ``Logging::default_alarm_mail_interval``. When using BroControl, the
   value can now be set with the new broctl.cfg option
-  "MailAlarmsInterval".
+  ``MailAlarmsInterval``.
 
-- We have completely reworded the "notice_policy" mechanism. It now no
-  linger uses a record of policy items but a "hook", a new language
-  element that's roughly equivalent to a function with multiple
-  bodies. The documentation [TODO: insert link] describes how to use
-  the new notice policy. For existing code, the two main changes are:
+- We have completely rewritten the ``notice_policy`` mechanism. It now
+  no longer uses a record of policy items but a ``hook``, a new
+  language element that's roughly equivalent to a function with
+  multiple bodies (see above). For existing code, the two main changes
+  are:
 
-    - What used to be a "redef" of "Notice::policy" now becomes a hook
-      implementation. Example:
+    - What used to be a ``redef`` of ``Notice::policy`` now becomes a
+      hook implementation. Example:
 
       Old::
 
@@ -221,9 +301,9 @@ Changed Functionality
                 add n$actions[Notice::ACTION_EMAIL];
             }
 
-    - notice() is now likewise a hook, no longer an event. If you have
-      handlers for that event, you'll likely just need to change the
-      type accordingly. Example:
+    - notice() is now likewise a hook, no longer an event. If you
+      have handlers for that event, you'll likely just need to change
+      the type accordingly. Example:
 
       Old::
 
@@ -233,17 +313,17 @@ Changed Functionality
 
         hook notice(n: Notice::Info) { ... }
 
-- The notice_policy.log is gone. That's a result of the new notice
+- The ``notice_policy.log`` is gone. That's a result of the new notice
   policy setup.
 
-- Removed the byte_len() and length() bif functions. Use the ``|...|``
-  operator instead.
+- Removed the ``byte_len()`` and ``length()`` bif functions. Use the
+  ``|...|`` operator instead.
 
-- The SSH::Login notice has been superseded by an corresponding
-  intelligence framework observation (SSH::SUCCESSFUL_LOGIN).
+- The ``SSH::Login`` notice has been superseded by an corresponding
+  intelligence framework observation (``SSH::SUCCESSFUL_LOGIN``).
 
-- PacketFilter::all_packets has been replaced with
-  PacketFilter::enable_auto_protocol_capture_filters.
+- ``PacketFilter::all_packets`` has been replaced with
+  ``PacketFilter::enable_auto_protocol_capture_filters``.
 
 - We removed the BitTorrent DPD signatures pending further updates to
   that analyzer.

VERSION

@@ -1 +1 @@
-2.1-1368
+2.1-1387

aux/binpac

@@ -1 +1 @@
-Subproject commit eeb19daacc9f12bc4e7c885fa70e71f856a90b1f
+Subproject commit 3c29b917e59e8d8200f669d3d9729d36c34b9245

aux/bro-aux

@@ -1 +1 @@
-Subproject commit eb24e628648c7d7b931bdb57d38ab32c28296e72
+Subproject commit ee2d64928edc38b10e508bd577a22f52b024c992

aux/broccoli

@@ -1 +1 @@
-Subproject commit 5bcee430700f714b19a9e794de75cb42408c9ecf
+Subproject commit c0d5345bf25d25f6965f3201048344687bacc860

aux/broctl

@@ -1 +1 @@
-Subproject commit a4912816d7a50c882fa537dbeadac13449ca3716
+Subproject commit 3582f494de247784fc7634b319ddf99aef44b6e1

aux/btest

@@ -1 +1 @@
-Subproject commit 3918bd9f5f99863faec2501e5bc7839ffb17bdc9
+Subproject commit 6e940b73152a14ae63a4405f6a4bc23cf6cbeec1

doc/scripting/index.rst

@@ -10,13 +10,6 @@ Writing Bro Scripts
 Understanding Bro Scripts
 =========================
 
-.. todo::
-
-    The MHR integration has changed significantly since the text was
-    written. We need to update it, however I'm actually not sure this
-    script is a good introductory example anymore unfortunately.
-    -Robin
-
 Bro includes an event-driven scripting language that provides
 the primary means for an organization to extend and customize Bro's
 functionality. Virtually all of the output generated by Bro
@@ -33,96 +26,109 @@ are invalid.  This entire process is setup by telling Bro that should
 it see a server or client issue an SSL ``HELLO`` message, we want to know
 about the information about that connection.
 
-It's often the easiest to understand Bro's scripting language by
+It's often easiest to understand Bro's scripting language by
 looking at a complete script and breaking it down into its
 identifiable components.  In this example, we'll take a look at how
-Bro queries the `Team Cymru Malware hash registry
-<http://www.team-cymru.org/Services/MHR/>`_ for downloads via
-HTTP. Part of the Team Cymru Malware Hash registry includes the
-ability to do a host lookup on a domain with the format
-``MALWARE_HASH.malware.hash.cymru.com`` where ``MALWARE_HASH`` is the MD5 or
-SHA1 hash of a file.  Team Cymru also populates the TXT record of
-their DNS responses with both a "last seen" timestamp and a numerical
-"detection rate".  The important aspect to understand is Bro already
-generates hashes for files it can parse from HTTP streams, but the
-script ``detect-MHR.bro`` is responsible for generating the
-appropriate DNS lookup and parsing the response.
+Bro checks the SHA1 hash of various files extracted from network traffic
+against the `Team Cymru Malware hash registry
+<http://www.team-cymru.org/Services/MHR/>`_.  Part of the Team Cymru Malware
+Hash registry includes the ability to do a host lookup on a domain with the format
+``<MALWARE_HASH>.malware.hash.cymru.com`` where ``<MALWARE_HASH>`` is the SHA1 hash of a file.
+Team Cymru also populates the TXT record of their DNS responses with both a "first seen"
+timestamp and a numerical "detection rate".  The important aspect to understand is Bro already
+generating hashes for files via the Files framework, but it is the
+script ``detect-MHR.bro`` that is responsible for generating the
+appropriate DNS lookup, parsing the response, and generating a notice if appropriate.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
 
-Visually, there are three distinct sections of the script.  A base
-level with no indentation followed by an indented and formatted
-section explaining the custom variables being provided (``export``) and another
-indented and formatted section describing the instructions for a
-specific event (``event log_http``).  Don't get discouraged if you don't
+Visually, there are three distinct sections of the script.  First, there is a base
+level with no indentation where libraries are included in the script through ``@load``
+and a namespace is defined with ``module``.  This is followed by an indented and formatted
+section explaining the custom variables being provided (``export``) as part of the script's namespace.
+Finally there is a second indented and formatted section describing the instructions to take for a
+specific event (``event file_hash``).  Don't get discouraged if you don't
 understand every section of the script; we'll cover the basics of the
 script and much more in following sections.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 7-11
+   :lines: 4-6
 
 Lines 7 and 8 of the script process the ``__load__.bro`` script in the
 respective directories being loaded.  The ``@load`` directives are
 often considered good practice or even just good manners when writing
-Bro scripts to make sure they can be
-used on their own. While it's unlikely that in a
+Bro scripts to make sure they can be used on their own. While it's unlikely that in a
 full production deployment of Bro these additional resources wouldn't
 already be loaded, it's not a bad habit to try to get into as you get
 more experienced with Bro scripting.  If you're just starting out,
-this level of granularity might not be entirely necessary though.  
+this level of granularity might not be entirely necessary.  The ``@load`` directives
+are ensuring the Files framework, the Notice framework and the script to hash all files has
+been loaded by Bro.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 12-24
+   :lines: 10-31
 
 The export section redefines an enumerable constant that describes the
-type of notice we will generate with the logging framework.  Bro
-allows for redefinable constants, which at first, might seem
+type of notice we will generate with the Notice framework.  Bro
+allows for re-definable constants, which at first, might seem
 counter-intuitive.  We'll get more in-depth with constants in a later
 chapter, for now, think of them as variables that can only be altered
 before Bro starts running.  The notice type listed allows for the use
 of the :bro:id:`NOTICE` function to generate notices of type
-``Malware_Hash_Registry_Match`` as done in the next section.  Notices
+``TeamCymruMalwareHashRegistry::Match`` as done in the next section.  Notices
 allow Bro to generate some kind of extra notification beyond its
 default log types.  Often times, this extra notification comes in the
-form of an email generated and sent to a pre-configured address.  
+form of an email generated and sent to a preconfigured address, but can be altered
+depending on the needs of the deployment.  The export section is finished off with
+the definition of two constants that list the kind of files we want to match against and
+the minimum percentage of detection threshold in which we are interested.
+
+Up until this point, the script has merely done some basic setup.  With the next section,
+the script starts to define instructions to take in a given event.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 26-44
+   :lines: 33-57
 
 The workhorse of the script is contained in the event handler for
-``log_http``.  The ``log_http`` event is defined as an event-hook in
-the :doc:`/scripts/base/protocols/http/main` script and allows scripts
-to handle a connection as it is being passed to the logging framework.
-The event handler is passed an :bro:type:`HTTP::Info` data structure
-which will be referred to as ``rec`` in body of the event handler.
+``file_hash``.  The ``file_hash`` event is defined in the
+:doc:`/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro` script and allows scripts to access
+the information associated with a file for which Bro's file analysis framework has
+generated a hash.  The event handler is passed the file itself as ``f``, the type of digest
+algorithm used as ``kind`` and the hash generated as ``hash``.
 
-An ``if`` statement is used to check for the existence of a data structure
-named ``md5`` nested within the ``rec`` data structure.  Bro uses the ``$`` as
-a deference operator and as such, and it is employed in this script to
-check if ``rec$md5`` is present by including the ``?`` operator within the
-path.  If the ``rec`` data structure includes a nested data structure
-named ``md5``, the statement is processed as true and a local variable
-named ``hash_domain`` is provisioned and given a format string based on
-the contents of ``rec$md5`` to produce a valid DNS lookup.  
+On line 35, an ``if`` statement is used to check for the correct type of hash, in this case
+a SHA1 hash.  It also checks for a mime type we've defined as being of interest as defined in the
+constant ``match_file_types``.  The comparison is made against the expression ``f$mime_type``, which uses
+the ``$`` dereference operator to check the value ``mime_type`` inside the variable ``f``.  Once both
+values resolve to true, a local variable is defined to hold a string comprised of the SHA1 hash concatenated
+with ``.malware.hash.cymru.com``; this value will be the domain queried in the malware hash registry.
 
 The rest of the script is contained within a ``when`` block.  In
 short, a ``when`` block is used when Bro needs to perform asynchronous
-actions, such a DNS lookup, to ensure that performance isn't effected.
+actions, such as a DNS lookup, to ensure that performance isn't effected.
 The ``when`` block performs a DNS TXT lookup and stores the result
 in the local variable ``MHR_result``.  Effectively, processing for
 this event continues and upon receipt of the values returned by
 :bro:id:`lookup_hostname_txt`, the ``when`` block is executed.  The
-``when`` block splits the string returned into two seperate values and
-checks to ensure an expected format.  If the format is invalid, the
-script assumes that the hash wasn't found in the respository and
-processing is concluded.  If the format is as expected and the
-detection rate is above the threshold set by ``MHR_threshold``, two
-new local variables are created and used in the notice issued by
-:bro:id:`NOTICE`.
+``when`` block splits the string returned into a portion for the date on which
+the malware was first detected and the detection rate by splitting on an text space
+and storing the values returned in a local table variable.  In line 42, if the table
+returned by ``split1`` has two entries, indicating a successful split, we store the detection
+date in ``mhr_first_detect`` and the rate in ``mhr_detect_rate`` on lines 45 and 45 respectively
+using the appropriate conversion functions.  From this point on, Bro knows it has seen a file
+transmitted which has a hash that has been seen by the Team Cymru Malware Hash Registry, the rest
+of the script is dedicated to producing a notice.
 
-In approximately 15 lines of actual code, Bro provides an amazing
+On line 47, the detection time is processed into a string representation and stored in
+``readable_first_detected``.  The script then compares the detection rate against the
+``notice_threshold`` that was defined on line 30.  If the detection rate is high enough, the script
+creates a concise description of the notice on line 50, a possible URL to check the sample against
+virustotal.com's database, and makes the call to :bro:id:`NOTICE` to hand the relevant information
+off to the Notice framework.
+
+In approximately 25 lines of code, Bro provides an amazing
 utility that would be incredibly difficult to implement and deploy
-with other products.  In truth, claiming that Bro does this in 15
+with other products.  In truth, claiming that Bro does this in 25
 lines is a misdirection; there is a truly massive number of things
 going on behind-the-scenes in Bro, but it is the inclusion of the
 scripting language that gives analysts access to those underlying
@@ -168,7 +174,7 @@ the event, and a concise explanation of the functions use.
    :lines: 29-54
 
 Above is a segment of the documentation for the event
-:bro:id:`dns_request` (and the preceeding link points to the
+:bro:id:`dns_request` (and the preceding link points to the
 documentation generated out of that).  It's organized such that the
 documentation, commentary, and list of arguments precede the actual
 event definition used by Bro.  As Bro detects DNS requests being
@@ -197,13 +203,8 @@ such, there are events defined for the primary parts of the connection
 life-cycle as you'll see from the small selection of
 connection-related events below.  
 
-.. todo::
-
-   Update the line numbers, this isn't pulling in the right events
-   anymore but I don't know which ones it were.
-
 .. btest-include:: ${BRO_SRC_ROOT}/build/scripts/base/bif/event.bif.bro
-   :lines: 135-138,154,204-208,218,255-256,266,335-340,351
+   :lines: 69-72,88,106-109,129,132-137,148
 
 Of the events listed, the event that will give us the best insight
 into the connection record data type will be
@@ -245,7 +246,7 @@ information gleaned from the analysis of a connection as a complete
 unit.  To break down this collection of information, you will have to
 make use of use Bro's field delimiter ``$``.  For example, the
 originating host is referenced by ``c$id$orig_h`` which if given a
-narritive relates to ``orig_h`` which is a member of ``id`` which is
+narrative relates to ``orig_h`` which is a member of ``id`` which is
 a member of the data structure referred to as ``c`` that was passed
 into the event handler." Given that the responder port
 (``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base DNS scripts
@@ -343,7 +344,7 @@ Constants
 Bro also makes use of constants, which are denoted by the ``const``
 keyword.  Unlike globals, constants can only be set or altered at
 parse time if the ``&redef`` attribute has been used.  Afterwards (in
-runtime) the constants are unalterable.  In most cases, redefinable
+runtime) the constants are unalterable.  In most cases, re-definable
 constants are used in Bro scripts as containers for configuration
 options.  For example, the configuration option to log password
 decrypted from HTTP streams is stored in
@@ -359,7 +360,7 @@ following line to our ``site/local.bro`` file before firing up Bro.
 
 .. btest-include:: ${DOC_ROOT}/scripting/data_type_const_simple.bro
 
-While the idea of a redefinable constant might be odd, the constraint
+While the idea of a re-definable constant might be odd, the constraint
 that constants can only be altered at parse-time remains even with the
 ``&redef`` attribute.  In the code snippet below, a table of strings
 indexed by ports is declared as a constant before two values are added
@@ -417,7 +418,7 @@ The table below shows the atomic types used in Bro, of which the
 first four should seem familiar if you have some scripting experience,
 while the remaining six are less common in other languages. It should
 come as no surprise that a scripting language for a Network Security
-Monitoring platform has a fairly robust set of network centric data
+Monitoring platform has a fairly robust set of network-centric data
 types and taking note of them here may well save you a late night of
 reinventing the wheel.  
 
@@ -479,7 +480,7 @@ the ``for`` loop, the next element is chosen.  Since sets are not an
 ordered data type, you cannot guarantee the order of the elements as
 the ``for`` loop processes.
    
-To test for membership in a set the ``in`` statment can be combined
+To test for membership in a set the ``in`` statement can be combined
 with an ``if`` statement to return a true or false value.  If the
 exact element in the condition is already in the set, the condition
 returns true and the body executes.  The ``in`` statement can also be
@@ -546,7 +547,7 @@ iterate over, say, the directors; we have to iterate with the exact
 format as the keys themselves.  In this case, we need squared brackets
 surrounding four temporary variables to act as a collection for our
 iteration.  While this is a contrived example, we could easily have
-had keys containin IP addresses (``addr``), ports (``port``) and even a ``string``
+had keys containing IP addresses (``addr``), ports (``port``) and even a ``string``
 calculated as the result of a reverse hostname lookup.
 
 .. btest-include:: ${DOC_ROOT}/scripting/data_struct_table_complex.bro
@@ -647,7 +648,7 @@ subnet
 ~~~~~~
 
 Bro has full support for CIDR notation subnets as a base data type. 
-There is no need to manage the IP and the subnet mask as two seperate
+There is no need to manage the IP and the subnet mask as two separate
 entities when you can provide the same information in CIDR notation in
 your scripts.  The following example below uses a Bro script to
 determine if a series of IP addresses are within a set of subnets
@@ -807,7 +808,7 @@ composite type.  We have, in fact, already encountered a a complex
 example of the ``record`` data type in the earlier sections, the
 :bro:type:`connection` record passed to many events. Another one,
 :bro:type:`Conn::Info`, which corresponds to the fields logged into
-``conn.log``, is shown by the exerpt below.
+``conn.log``, is shown by the excerpt below.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/conn/main.bro
    :lines: 10-12,16,17,19,21,23,25,28,31,35,37,56,62,68,90,93,97,100,104,108,109,114
@@ -818,7 +819,7 @@ definition is within the confines of an export block, what is defined
 is, in fact, ``Conn::Info``.
 
 The formatting for a declaration of a record type in Bro includes the
-descriptive name of the type being defined and the seperate fields
+descriptive name of the type being defined and the separate fields
 that make up the record.  The individual fields that make up the new
 record are not limited in type or number as long as the name for each
 field is unique.
@@ -834,7 +835,7 @@ string, a set of ports, and a count to define a service type.  Also
 included is a function to print each field of a record in a formatted
 fashion and a :bro:id:`bro_init` event handler to show some
 functionality of working with records.  The definitions of the DNS and
-HTTP services are both done inline using squared brackets before being
+HTTP services are both done in-line using squared brackets before being
 passed to the ``print_service`` function.  The ``print_service``
 function makes use of the ``$`` dereference operator to access the
 fields within the newly defined Service record type.  
@@ -851,7 +852,7 @@ record.
    @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_02.bro
 
 The example above includes a second record type in which a field is
-used as the data type for a set.  Records can be reapeatedly nested
+used as the data type for a set.  Records can be repeatedly nested
 within other records, their fields reachable through repeated chains
 of the ``$`` dereference operator.  
 
@@ -1128,7 +1129,7 @@ which we will cover shortly.
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
 | policy_items        | set[count]                                                       | &log &optional | Policy items that have been applied    |
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| email_body_sections | vector                                                           | &optinal       | Body of the email for email notices.   |
+| email_body_sections | vector                                                           | &optional       | Body of the email for email notices.   |
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
 | email_delay_tokens  | set[string]                                                      | &optional      | Delay functionality for email notices. |
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
@@ -1142,7 +1143,7 @@ has been heuristically detected and the originating hostname is one
 that would raise suspicion.  Effectively, the script attempts to
 define a list of hosts from which you would never want to see SSH
 traffic originating, like DNS servers, mail servers, etc.  To
-accomplish this, the script adhere's to the seperation of detection
+accomplish this, the script adheres to the separation of detection
 and reporting by detecting a behavior and raising a notice.  Whether
 or not that notice is acted upon is decided by the local Notice
 Policy, but the script attempts to supply as much information as
@@ -1226,7 +1227,7 @@ Bro.
 
 In the :doc:`/scripts/policy/protocols/ssl/expiring-certs` script
 which identifies when SSL certificates are set to expire and raises
-notices when it crosses a pre-defined threshold, the call to
+notices when it crosses a predefined threshold, the call to
 ``NOTICE`` above also sets the ``$identifier`` entry by concatenating
 the responder IP, port, and the hash of the certificate.  The
 selection of responder IP, port and certificate hash fits perfectly
@@ -1262,7 +1263,7 @@ In short, there will be notice policy considerations where a broad
 decision can be made based on the ``Notice::Type`` alone.  To
 facilitate these types of decisions, the Notice Framework supports
 Notice Policy shortcuts.  These shortcuts are implemented through the
-means of a group of data structures that map specific, pre-defined
+means of a group of data structures that map specific, predefined
 details and actions to the effective name of a notice.  Primarily
 implemented as a set or table of enumerables of :bro:type:`Notice::Type`,
 Notice Policy shortcuts can be placed as a single directive in your
@@ -1308,5 +1309,3 @@ Notice::emailed_types set while the shortcut below alters the length
 of time for which those notices will be suppressed.
 
 .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_02.bro
-
-

src/Expr.cc

@@ -2442,7 +2442,7 @@ RefExpr::RefExpr(Expr* arg_op) : UnaryExpr(EXPR_REF, arg_op)
 	if ( IsError() )
 		return;
 
-	if ( ! is_assignable(op->Type()) )
+	if ( ! ::is_assignable(op->Type()) )
 		ExprError("illegal assignment target");
 	else
 		SetType(op->Type()->Ref());

src/input/readers/Raw.cc

@@ -73,15 +73,15 @@ void Raw::DoClose()
 
 	if ( execute && childpid > 0 && kill(childpid, 0) == 0 )
 		{
-		// kill child process
-		kill(childpid, SIGTERM);
+		// Kill child process group.
+		kill(-childpid, SIGTERM);
 
 		if ( forcekill )
 			{
 			usleep(200); // 200 msecs should be enough for anyone ;)
 
 			if ( kill(childpid, 0) == 0 ) // perhaps it is already gone
-				kill(childpid, SIGKILL);
+				kill(-childpid, SIGKILL);
 			}
 		}
 	}
@@ -146,6 +146,11 @@ bool Raw::Execute()
 	else if ( childpid == 0 )
 		{
 		// we are the child.
+
+		// Obtain a process group w/ child's PID.
+		if ( setpgid(0, 0) == -1 )
+			_exit(251);
+
 		close(pipes[stdout_in]);
 		if ( dup2(pipes[stdout_out], stdout_fileno) == -1 )
 			_exit(252);
@@ -180,6 +185,15 @@ bool Raw::Execute()
 	else
 		{
 		// we are the parent
+
+		// Parent also sets child process group immediately to avoid a race.
+		if ( setpgid(childpid, childpid) == -1 )
+			{
+			char buf[256];
+			strerror_r(errno, buf, sizeof(buf));
+			Warning(Fmt("Could not set child process group: %s", buf));
+			}
+
 		if ( ! UnlockForkMutex() )
 			return false;
 

testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output

@@ -2,24 +2,20 @@
 
 -- event.bif.bro
 
+## Generated for every new connection. This event is raised with the first
+## packet of a previously unknown connection. Bro uses a flow-based definition
+## of "connection" here that includes not only TCP sessions but also UDP and
+## ICMP flows.
+global new_connection: event(c: connection );
+## Generated when a TCP connection timed out. This event is raised when
+## no activity was seen for an interval of at least
+## :bro:id:`tcp_connection_linger`, and either one endpoint has already
+## closed the connection or one side never became active.
+global connection_timeout: event(c: connection );
+## Generated when a connection's internal state is about to be removed from
+## memory. Bro generates this event reliably once for every connection when it
+## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
 ## flows.
-##
-##
-global connection_external: event(c: connection , tag: string );
-
-
-## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
-## Generated when a connection is seen that is marked as being expected.
-
-
-global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
-##    their specifics differ slightly. Often, however, both will be raised for
-##    the same connection if some of its data is missing. We should eventually
-##    merge the two.
-global ack_above_hole: event(c: connection );
-
-
-##
+global connection_state_remove: event(c: connection );

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output

@@ -2,8 +2,6 @@
 
 -- detect-MHR.bro
 
-
-module TeamCymruMalwareHashRegistry;
-
-export {
-	redef enum Notice::Type += {
+@load base/frameworks/files
+@load base/frameworks/notice
+@load frameworks/files/hash-all-files

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output

@@ -2,6 +2,8 @@
 
 -- detect-MHR.bro
 
+export {
+	redef enum Notice::Type += {
 		## The hash value of a file transferred over HTTP matched in the
 		## malware hash registry.
 		Match
@@ -15,3 +17,10 @@
 	                         /application\/x-java-applet/ |
 	                         /application\/jar/ |
 	                         /video\/mp4/ &redef;
+
+	## The malware hash registry runs each malware sample through several A/V engines.
+	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
+	## sample as malicious. This threshold allows you to require a minimum detection
+	## rate.
+	const notice_threshold = 10 &redef;
+}

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output

@@ -2,13 +2,6 @@
 
 -- detect-MHR.bro
 
-	## The malware hash registry runs each malware sample through several A/V engines.
-	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
-	## sample as malicious. This threshold allows you to require a minimum detection
-	## rate.
-	const notice_threshold = 10 &redef;
-}
-
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
 	if ( kind=="sha1" && match_file_types in f$mime_type )
@@ -21,3 +14,16 @@ event file_hash(f: fa_file, kind: string, hash: string)
 			if ( |MHR_answer| == 2 )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+				local mhr_detect_rate = to_count(MHR_answer[2]);
+
+				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
+				if ( mhr_detect_rate >= notice_threshold )
+					{
+					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+					local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
+					}
+				}
+			}
+		}
+	}

testing/btest/doc/sphinx/include-scripts_base_bif_event_bif_bro.btest

@@ -2,24 +2,20 @@
 
 -- event.bif.bro
 
+## Generated for every new connection. This event is raised with the first
+## packet of a previously unknown connection. Bro uses a flow-based definition
+## of "connection" here that includes not only TCP sessions but also UDP and
+## ICMP flows.
+global new_connection: event(c: connection );
+## Generated when a TCP connection timed out. This event is raised when
+## no activity was seen for an interval of at least
+## :bro:id:`tcp_connection_linger`, and either one endpoint has already
+## closed the connection or one side never became active.
+global connection_timeout: event(c: connection );
+## Generated when a connection's internal state is about to be removed from
+## memory. Bro generates this event reliably once for every connection when it
+## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
 ## flows.
-##
-##
-global connection_external: event(c: connection , tag: string );
-
-
-## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
-## Generated when a connection is seen that is marked as being expected.
-
-
-global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
-##    their specifics differ slightly. Often, however, both will be raised for
-##    the same connection if some of its data is missing. We should eventually
-##    merge the two.
-global ack_above_hole: event(c: connection );
-
-
-##
+global connection_state_remove: event(c: connection );

testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest

@@ -2,8 +2,6 @@
 
 -- detect-MHR.bro
 
-
-module TeamCymruMalwareHashRegistry;
-
-export {
-	redef enum Notice::Type += {
+@load base/frameworks/files
+@load base/frameworks/notice
+@load frameworks/files/hash-all-files

testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest

@@ -2,6 +2,8 @@
 
 -- detect-MHR.bro
 
+export {
+	redef enum Notice::Type += {
 		## The hash value of a file transferred over HTTP matched in the
 		## malware hash registry.
 		Match
@@ -15,3 +17,10 @@
 	                         /application\/x-java-applet/ |
 	                         /application\/jar/ |
 	                         /video\/mp4/ &redef;
+
+	## The malware hash registry runs each malware sample through several A/V engines.
+	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
+	## sample as malicious. This threshold allows you to require a minimum detection
+	## rate.
+	const notice_threshold = 10 &redef;
+}

testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest

@@ -2,13 +2,6 @@
 
 -- detect-MHR.bro
 
-	## The malware hash registry runs each malware sample through several A/V engines.
-	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
-	## sample as malicious. This threshold allows you to require a minimum detection
-	## rate.
-	const notice_threshold = 10 &redef;
-}
-
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
 	if ( kind=="sha1" && match_file_types in f$mime_type )
@@ -21,3 +14,16 @@ event file_hash(f: fa_file, kind: string, hash: string)
 			if ( |MHR_answer| == 2 )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+				local mhr_detect_rate = to_count(MHR_answer[2]);
+
+				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
+				if ( mhr_detect_rate >= notice_threshold )
+					{
+					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+					local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
+					}
+				}
+			}
+		}
+	}